section25 asked:

Cisco 850 config question

I have configured a new Cisco 850 router for use with my network. Everything seems fine except for one lingering issue: I can't get to certain web sites.

- I am using NAT for resolving ip addresses to my web server and email server and that works fine.
- I have firewall settings set to 'high' and everything seems normal.

I can get to almost every web site I try with a few exceptions:
- I can't get to anything on Yahoo.com
- I can't log in to this web site experts-exchange.com (I am using a different location to write this).
- I can't get to Kodak's EasyShare web site
- plus a few others

I don't really care about the web sites themselves, but I think there is an underlying issue with the router that is causing the problem. Could someone please take a look at the config file and let me know if there are any obvious problems.

Thanks.

!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Section25
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$h4R1$JgMNFA9E5T
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 68.11.16.30 68.1.208.30
   default-router 192.168.1.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name section25.net
ip name-server 68.11.16.30
ip name-server 68.1.208.30
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_HIGH
  application im aol
    service default action reset alarm
    service text-chat action reset alarm
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
  application im msn
    service default action reset alarm
    service text-chat action reset alarm
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
  application http
    strict-http action reset alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action reset alarm
  application im yahoo
    service default action reset alarm
    service text-chat action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-3238121151
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3238121151
 revocation-check none
 rsakeypair TP-self-signed-3238121151
!
!
crypto pki certificate chain TP-self-signed-3238121151
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323338 31323131 3531301E 170D3032 30333031 30303432
  30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32333831
  32313135 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BCD1 43503DB7 3B2330A8 9EB955EC FD726316 17444FCA 493846E4 920F5163
  BB9E155C 6E15B192 99F4F589 F12286AB B0832C07 D2D99E6E 1C538AFF 32CFC871
  E688218E 7742B9ED E77C51B9 43765ABC A2F55A43 FCC2B7E4 5985659E D6DBA439
  11CE0076 D75FA9D2 AACB914D A1F8A0C9 952306B7 ABB6DFC2 CFFDE5CC F1C2B44F
  934F0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17536563 74696F6E 32352E73 65637469 6F6E3235 2E6E6574
  301F0603 551D2304 18301680 14967F15 FC03A875 76D35D6F 952B260F 808D44B9
  3B301D06 03551D0E 04160414 967F15FC 03A87576 D35D6F95 2B260F80 8D44B93B
  300D0609 2A864886 F70D0101 04050003 818100BA 7491DD11 F5678139 5402C451
  3EC8CBF1 5975A977 325EC1B1 ACD1B33E 357E75BA DAF713EA FF90DD94 E2786A4D
  9AE4B256 79075A34 946D84F1 3E80FFCE F5EC677E 433F4806 1BDA0359 0A567BB8
  99C61B0C C57632C3 DE5306C7 6ACEE424 FC556A67 48F1250C BC4C22CB C1E60635
  AAE4BC36 8E8FDD98 C8B0A572 56CEDF54 1A6DE8
  quit
username administrator privilege 15 secret 5 $1$50m1$jdy4t
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 98.172.61.226 255.255.255.224
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_HIGH out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_HIGH in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 98.172.61.225
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.102 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.102 21 98.172.61.226 21 extendable
ip nat inside source static tcp 192.168.1.102 23 98.172.61.226 23 extendable
ip nat inside source static tcp 192.168.1.102 25 98.172.61.226 25 extendable
ip nat inside source static tcp 192.168.1.102 110 98.172.61.226 110 extendable
ip nat inside source static tcp 192.168.1.102 443 98.172.61.226 443 extendable
ip nat inside source static tcp 192.168.1.102 2525 98.172.61.226 2525 extendable
ip nat inside source static tcp 192.168.1.102 2552 98.172.61.226 2552 extendable
ip nat inside source static tcp 192.168.1.102 25 98.172.61.227 25 extendable
ip nat inside source static tcp 192.168.1.110 80 98.172.61.227 80 extendable
ip nat inside source static tcp 192.168.1.102 110 98.172.61.227 110 extendable
ip nat inside source static tcp 192.168.1.110 443 98.172.61.227 443 extendable
ip nat inside source static tcp 192.168.1.102 2525 98.172.61.227 2525 extendable
ip nat inside source static tcp 192.168.1.102 2552 98.172.61.227 2552 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 98.172.61.224 0.0.0.31 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 98.172.61.226 eq smtp
access-list 101 permit tcp any host 98.172.61.227 eq www
access-list 101 permit tcp any host 98.172.61.226 eq www
access-list 101 permit udp host 68.1.208.30 eq domain host 98.172.61.226
access-list 101 permit udp host 68.11.16.30 eq domain host 98.172.61.226
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 98.172.61.226 echo-reply
access-list 101 permit icmp any host 98.172.61.226 time-exceeded
access-list 101 permit icmp any host 98.172.61.226 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host 98.172.61.227 eq smtp
access-list 102 permit tcp any host 98.172.61.227 eq 2552
access-list 102 permit tcp any host 98.172.61.227 eq 2525
access-list 102 permit tcp any host 98.172.61.227 eq 443
access-list 102 permit tcp any host 98.172.61.227 eq pop3
access-list 102 permit tcp any host 98.172.61.227 eq www
access-list 102 permit tcp any host 98.172.61.226 eq 2552
access-list 102 permit tcp any host 98.172.61.226 eq 2525
access-list 102 permit tcp any host 98.172.61.226 eq pop3
access-list 102 permit tcp any host 98.172.61.226 eq telnet
access-list 102 permit tcp any host 98.172.61.226 eq ftp
access-list 102 permit tcp any host 98.172.61.226 eq smtp
access-list 102 permit tcp any host 98.172.61.226 eq www
access-list 102 permit udp host 68.1.208.30 eq domain host 98.172.61.226
access-list 102 permit udp host 68.11.16.30 eq domain host 98.172.61.226
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 98.172.61.226 echo-reply
access-list 102 permit icmp any host 98.172.61.226 time-exceeded
access-list 102 permit icmp any host 98.172.61.226 unreachable
access-list 102 permit tcp any host 98.172.61.226 eq 443
access-list 102 permit tcp any host 98.172.61.226 eq 22
access-list 102 permit tcp any host 98.172.61.226 eq cmd
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
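As an added example (not part of this thread and not Cisco tooling), the script below parses the `appfw policy-name` block of an IOS running config like the one posted, lists which `server deny name` entries fall under the domains the asker reports as unreachable, and collects the rules that answer a match with a TCP reset so they can be compared with the inspect log. The `CONFIG` string is a shortened excerpt of the posted config; the domain names checked are assumed from the question.

```python
import re
# Shortened excerpt of the running config posted above (other sections omitted).
CONFIG = """\
appfw policy-name SDM_HIGH
  application http
    strict-http action reset alarm
  application im yahoo
    service default action reset alarm
    server deny name scs.msg.yahoo.com
    server deny name messenger.yahoo.com
interface FastEthernet4
 ip inspect SDM_HIGH out
"""

def parse_appfw(config):
    """Return {policy: {application: {"denied": set(hosts), "actions": [rules]}}}."""
    policies, policy, app = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):           # any unindented line ends the appfw block
            m = re.match(r"appfw policy-name (\S+)$", line)
            policy = policies.setdefault(m.group(1), {}) if m else None
            app = None
        elif policy is not None and line.startswith("application "):
            app = policy.setdefault(line[12:], {"denied": set(), "actions": []})
        elif app is not None and line.startswith("server deny name "):
            app["denied"].add(line.split()[-1].lower().rstrip("."))
        elif app is not None and " action " in line:
            app["actions"].append(line)
    return policies

def in_domain(host, domain):
    """True when host is domain itself or a subdomain of it (no bare substring match)."""
    host, domain = host.lower().rstrip("."), domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def denied_under(policies, domains):
    """Map each reported domain to the (policy, application, host) deny rules under it."""
    hits = {}
    for pname, apps in policies.items():
        for aname, info in apps.items():
            for host in sorted(info["denied"]):
                for d in (d for d in domains if in_domain(host, d)):
                    hits.setdefault(d, []).append((pname, aname, host))
    return hits

def reset_actions(policies):
    """Rules that answer a match with a TCP reset; compare against 'ip inspect log' output."""
    return [(p, a, r) for p, apps in policies.items() for a, info in apps.items()
            for r in info["actions"] if "reset" in r.split()]
```

Feed it the full output of `show running-config` instead of the excerpt to see every deny rule and reset action in the policy.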

neos2k1:

Are you sure you don't have any other software on your computer that could limit your access to those websites?
Maybe there is a policy not to allow users on those websites set up on the server or on each machine individually.
Any AV, firewalls... installed?

section25 (asker):

I thought about stuff like that and I don't believe there is anything locally that would stop it. Before I implemented the Cisco router, I was using a Linksys and this problem didn't exist. If I switch back to the Linksys router, I can access these sites.

The workstations are using Windows 2000, no firewall, I removed the AV and the problem still exists. I ran Ad-aware and cleaned up the PCs and the problem still exists. It is the same for all of the workstations so I really don't think it is a local problem. All of the PCs go through the router and they all have the same issue accessing certain websites.

I also think it has something to do with permissions or scripting or something, because I can get to everything on the Experts Exchange website as a guest but when I try to log in, I don't get any errors, it just keeps bringing me back to the login page.

For instance, at the Kodak web site, I can see the preview, but when I try to log in to see the slideshow, I get an error saying the page timed out. It will never let me log in.

I don't know what the heck is going on with Yahoo. I can't get to a single page that ends in yahoo.com.

There are a handful of other sites that I have problems with but about 99% of the web pages I go to are fine. I can log into other sites, just not EE (and apparently Kodak).

I'm not familiar enough with Cisco configs to start experimenting and poking around so I was hoping someone could look at the config and say 'you need to remove this line' or 'change this setting because that will cause your problem.'

neos2k1:

If you remove the policy, what happens? Is it OK?
 Router(config)# no appfw policy-name SDM_HIGH

section25 (asker):

I'll check and let you know.

Thanks.

section25 (asker):

neos2k1,

Thanks for the suggestion, but that did not change anything.

ASKER CERTIFIED SOLUTION
section25

This solution is only available to members.

Good to know you managed to solve the problem. ;)

Vee_Mod, Community Support Moderator:

Closed, 500 points refunded.

Hello section25, could you please post the commands that you used in your Cisco to solve the problem? I'm getting the same issues in my Cisco 851, but I cannot find the commands to be set on it.

Thanks